Horizon exposes internal IP addresses via keystone/svc-catalog API

Bug #1798832 reported by Oleksiy Petrenko
Affects                        Status        Importance  Assigned to       Milestone
OpenStack Dashboard (Horizon)  Fix Released  Undecided   Oleksiy Petrenko

Bug Description

Example url: https://<horizon>/api/keystone/svc-catalog/

Different application responses contain resource links which disclose internal IP addresses. Threat actors could learn valuable information and plan further attacks on disclosed systems. Horizon should avoid including internal IP addresses in application responses.

Changed in horizon:
assignee: nobody → Oleksiy Petrenko (enacero)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/611819
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=31718cd1afe9bf115dbe09b0d232a5d9ae13ae61
Submitter: Zuul
Branch: master

commit 31718cd1afe9bf115dbe09b0d232a5d9ae13ae61
Author: Alex Petrenko <email address hidden>
Date: Fri Oct 19 12:10:38 2018 +0300

    Refactor app response for api request '/api/keystone/svc-catalog'

    Add filtration for service catalog. Now all endpoints that are not
    public will not be seen.

    Change-Id: I6db214f849d13c4c71e176f00113e889ff2d2997
    Closes-Bug: #1798832
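
The filtering the commit describes, as an added illustration that is not Horizon's own code: a service catalog in Keystone v3 layout (a constructed sample with made-up hosts) is reduced to its public-interface endpoints, and a defender-side check scans any response for endpoint URLs whose host is a private or loopback IP literal. Dropping services that keep no public endpoint is a choice made here, not something the page states the fix does.

```python
import copy
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in Keystone v3 catalog layout; hosts are made up.
SAMPLE_CATALOG = [
    {"type": "compute", "name": "nova", "endpoints": [
        {"interface": "public", "region": "RegionOne",
         "url": "https://cloud.example.com:8774/v2.1"},
        {"interface": "internal", "region": "RegionOne",
         "url": "http://10.0.0.11:8774/v2.1"},
        {"interface": "admin", "region": "RegionOne",
         "url": "http://192.168.5.2:8774/v2.1"},
    ]},
    {"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "internal", "region": "RegionOne",
         "url": "http://10.0.0.10:5000/v3"},
    ]},
]


def filter_public_endpoints(catalog):
    """Keep only 'public' endpoints; services left without one are dropped
    (a choice made here, so the response does not hint at internal-only
    components). The input catalog is not modified."""
    filtered = []
    for service in catalog:
        public = [ep for ep in service.get("endpoints", [])
                  if ep.get("interface") == "public"]
        if public:
            svc = copy.deepcopy(service)
            svc["endpoints"] = public
            filtered.append(svc)
    return filtered


def leaked_private_hosts(catalog):
    """Check a response: return endpoint URLs whose host is a private IP."""
    leaks = []
    for service in catalog:
        for ep in service.get("endpoints", []):
            host = urlsplit(ep.get("url", "")).hostname
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                continue  # a DNS name (or no host), not an IP literal
            if addr.is_private or addr.is_loopback or addr.is_link_local:
                leaks.append(ep["url"])
    return leaks
```

Running `leaked_private_hosts` over the raw sample reports three internal URLs; over `filter_public_endpoints(SAMPLE_CATALOG)` it reports none.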

Changed in horizon:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon 15.0.0.0b1

This issue was fixed in the openstack/horizon 15.0.0.0b1 development milestone.
